An information security manager has identified and implemented mitigating controls according to industry best practices. Which of the following is the GREATEST risk associated with this approach? 

Answer options:

A. The cost of control implementation may be too high.
B. The security program may not be aligned with organizational objectives.
C. The mitigation measures may not be updated in a timely manner.
D. Important security controls may be missed without senior management input.

B